Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

FTC Chairman Leibowitz was the first to testify, describing the FTC’s recent efforts to protect consumer privacy through law enforcement, education, and policy initiatives. Leibowitz then set forth some highlights from the Staff Report on consumer privacy and concluded with a discussion of issues related to the “Do Not Track” proposal. Leibowitz enumerated five critical principles that should be included in any Do Not Track system:

• Any Do Not Track system should be implemented universally, so that consumers do not have to repeatedly opt out of tracking on different sites;
• The choice mechanism should be easy to find and easy to use;
• Any choices offered should be persistent and should not be deleted if, for example, consumers clear their cookies or update their browsers;
• A Do Not Track system should not only allow consumers to opt out of advertising, it should allow them to opt out of tracking altogether; and
• A Do Not Track system should be effective and enforceable without technical loopholes.

Chairman Leibowitz testified he is “sort of agnostic whether the private sector does Do Not Track or Congress requires it.” To read the FTC’s prepared statement on the state on online consumer privacy, click HERE.

Lawrence E. Strickling, Assistant Secretary for Communications and Information of the Department of Commerce, testified that “the Department has concluded that the U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules for the road for businesses and consumers, while preserving the innovation and free flow of information that are hallmarks of the Internet.” Both the Department of Commerce and the FTC have been encouraging self-regulation, while suggesting congressional action might be needed as a backstop.

Mr. Strickling, however, urged Congress to enact new legislation setting forth baseline consumer data privacy protections—that is, a "consumer privacy bill of rights" consisting of comprehensive Fair Information Practice Principles (FIPPs). FIPPs should be a collection of agreed-upon principles for the handling of consumer information that would provide clear privacy protections for personal data in commercial contexts that are not covered by existing Federal privacy laws or otherwise require additional protection. Additionally, the new legislation should provide the FTC with the authority to enforce any baseline protections. Lastly, the new legislation should create a framework that provides incentives for the development of codes of conduct as well as continued innovation around privacy protections, which could include providing the FTC with the authority to offer a safe harbor for companies that implement codes of conduct that are consistent with the baseline protections. To read Mr. Strickling's testimony, click HERE.

The second panel consisted of non-government witnesses, including both consumer advocates and corporate representatives. Erich D. Andersen, Vice President and Deputy General Counsel of Microsoft, testified that “privacy is no longer about being ‘let alone.’ Privacy is about knowing what data is being collected and what is happening to it, having choices about how it is collected and used, and being confident that it is secure.” John Montgomery, Chief Operating Officer of GroupM Interaction, stated that his company “want[s] to build consumer trust in the online experience” and that “consumers should be able to choose whether and how their data is collected or used for online behavioral advertising.” Ashkan Soltani, a researcher and consultant, noted that today’s technical defenses to online tracking are not able to stop leading tracking technologies. “To be effective,” Mr. Soltani testified, “privacy protections for consumers online will likely require both a technical and policy component, working in tandem.” Barbara Lawler, the Chief Privacy Officer of Intuit, focused on the need for balance between consumer participation, the control of information, and continuing data driven innovation, stating that the key to ensuring the proper balance is “earning the customers’ trust.” Lastly, Chris Calabrese, Legislative Counsel for the American Civil Liberties Union, testified that if the collection of data is allowed to continue unchecked, capitalism will build “a complete surveillance state online.” “Without government intervention,” he testified, “we may soon find the internet has been transformed from a library and playground to a fishbowl, and that we have unwittingly ceded core values of privacy and autonomy.”

To view the hearing on the U.S. Senate Committee on Commerce, Science, and Transportation website, click HERE.
 

Some thoughts and observations in no particular order:

• The Hard Questions. This Inquiry seeks to tackle practically all of the “hard questions” in privacy as it relates to commerce. Its breadth is impressive.

• Balance Between Commerce and Privacy. Based on how it is written, the topics discussed and the framing of the questions, it is clear that the DOC seeks to find the proper balance between commercial innovation/burden and individual privacy. It is interesting that these questions are being considered in a commercial context rather than from a “civil rights” point of view. This is consistent, of course, with the U.S. approach. However, considering that one of the issues it addresses is international privacy laws and regulations, it begs the question of whether the lack of consistency in privacy regulations globally (and difficulties related thereto) is “baked into the cake.”

• The Multiplicity of Privacy Laws. One of the key business problems the Inquiry seeks to explore is compliance with privacy laws and jurisdictional conflicts. The Inquiry ask questions about the multi-jurisdictional nature of handling person information, both on a national and state level within the United States, and on an international level with the rest of the world.  It also provides a series of questions that seek to explore the effectiveness of the U.S. sectoral approach to privacy regulation. The compliance burden arising out of multiple (and sometimes conflicting) privacy regulatory regimes has vexed and continues to vex multinational corporations that handle personal information.

From a commercial and compliance point of view this issue is extremely important. The reality is that for multinational companies (which these days can be very large and very small -- a website that is accessible by foreign data subjects could put a company in the "multinational" category), because of transborder data flow, it is extremely difficult, if not impossible (when actual cost is taken into account), to even know what laws apply to the organization. In fact, the legal environment is constantly changing due to new laws at multiple jurisdictional levels, and due to organizational changes concerning the type, handling and location of personal data interacting with a company. Even if companies have the ability to ascertain what laws apply to them, compliance is also very difficult and expensive (and some would maintain again that it is impossible to achieve 100% compliance).

Based on the questions posed the Inquiry seems to recognize the disconnect between applicable privacy laws based on arbitrary and imaginary borders, and the completely borderless environment in which information exists in commerce.  Will Commerce conclude that the multiplicity of privacy and security laws is an impediment or obstacle to the growth of the global economy? It will be interesting to see if the coming report will have recommendations on how to harmonize existing regulatory regimes while still addressing privacy issues important to particular countries.  

• Cloud Computing and Borderless Data. Speaking of ethereal data processing-related concepts, the Inquiry specifically references cloud computing and web-based services, and appears to address the reality that in the 21st century data is borderless, but laws based on arbitrary location-based jurisdictional triggers are not.

• Notice & Consent Model Outdated? The Inquiry also appears to recognize concerns about the weaknesses of the current notice and consent privacy regime, and inquires about a “use-based” consumer privacy model. A used-based model recognizes the view that privacy is context-based rather than static. A use of information in one context may be consistent with the data subject’s expectation of privacy, but the same information may violate privacy in another context. Putting up pictures on Facebook of a late night out with friends and sharing with those friends does not violate privacy principles, but allowing the data subject’s employer to see those photos might. It is not clear, however, whether a “use-based” system would provide more effective protection or whether it could be done cost-effectively without massive standardization and cooperation between a multiplicity of entities that might handle personal information in the midst of a transaction. To achieve this type of regime, which effectively gives the data subject more control over its data, technology solutions may be necessary.  Coincidentally, as discussed below, the Inquiry also asks questions concerning the role of technology in protecting privacy.

• The Role of Technology in Managing and Protecting Privacy. The Inquiry asks questions about “privacy-enhancing technologies” that would allow data subjects to manage the information they are sharing, allow for the auditing of compliance with privacy policies and expressed user preferences, and provide privacy notices to individuals concerning the use or disclosure of their personal information. To the extent that PETs empower individual data subjects, the challenge of course is getting data subjects to understand how they can use these technologies, and providing notice of what will happen to their personal information if they fail to do so. One interesting question in the Inquiry relates to whether technology designers are proper incentivized to build privacy-related functionality into the design of their technology. I think this question gets to the crux of one of the key problems with PETs: if the technologies are not already built into the business processes from the start, is it feasible and cost-effective to implement efficacious PETs.

• Recognition of the Small-Medium Business Challenges.  The Inquiry poses a series of questions concerning the impact of privacy and compliance on small/medium businesses and start-ups.  I think this issue is often overlooked in terms of how commercial innovation might be stifled by privacy requirements that are too costly.  Much of the innovation over the past 20 years has come from start-up companies utilizing the efficiencies of information technology and the Internet.  Do strict privacy requirements dissuade entrepreneurs from starting their companies or pose insurmountable obstacles due to compliance expenses?  Some would argue that innovation has not been stifled by pointing to the existence of Facebook, Twitter, MySpace, all of which are pushing the boundaries of privacy.  However, this begs the question because the existence of these companies is, in part, why the Inquiry is necessary.  Beyond start-ups, the reality is most small businesses (even your local laundry mat) store, process and transmit personal information of some sort.  Can laws and standards be created that are "one-size-fits all?"  If not, considering the volume of small businesses in the U.S. (compared to large companies), if you exempt or limit the obligations of small businesses, are you leaving a massive privacy consumer privacy gap? 

Overall, the ultimate impact of the Inquiry is unclear. The Inquiry specifically indicates that it is not being circulated for the specific purpose of creating legislation. However, it is possible that useful recommendations or guidance could come out of the DOC’s eventual report that could serve as the basis of future regulation, best practices or standards that relate to privacy in the context of modern commerce. It also must be recognized that this Inquiry is happening right in the middle of the political area. There will be entrenched and wealthy special interests on both the commerce and consumer side that will seek to influence the DOC and its report. The report will be less useful if it simply yields the same positions that have been espoused by various interests on either side of the spectrum. The hope is that the DOC report will get beyond the status quo and offer guidance and the foundations for public policy (and law) that actually move the ball forward and serve to address the significant privacy challenges the consumers and the commercial community face.